Businesses concerned about the security of cloud-computing systems should appoint a 'cloud purchasing czar' whose sole responsibility is to evaluate cloud service providers (CSPs) and manage their interactions between business and IT executives, a leading security consultant has advised.

Speaking at the recent CSO Perspectives Roadshow, BRM Holdich director of information security and IT assurance Jo Stewart-Rattray said the czar model – promoted by the likes of Gartner analyst Daryl Plummer – offers the important ability to bring order to what is often a chaotic process of cloud-system purchasing and deployment.

“The czar is an independent arbiter who receives cloud purchase requests, gathers intelligence as to what the business might need,” she explained, “and then presents back to the IT leaders what the business users need – and any pitfalls there might be. They then allow the business to make the decisions.”

Empowering the business in a structured way is critical to ensure that credit card-wielding employees don't compromise information security controls by simply running up their own cloud-based services without central control or recourse. Such 'shadow IT' remains a major problem for organisations working to come to grips with the implications of cloud models.

Because the czar maintains relationships across the business, they also have the important role of being able to identify potential savings and “establishing that discussion with Finance,” Stewart-Rattray said, noting that the czar would be a specialised assistant to existing CIOs.

“Ultimately, CIOs sign off on it,” she said. “All you're doing is giving the task to someone to go out and do the legwork for you. If [I were a CIO and] someone did cloud without my knowledge, I would be miffed to the nth degree – but if they did it with my involvement, I would be chuffed that there was a specialist to go out and present those options for me. I could then go and present those options to my fellow members on the executive, and with hand on heart be able to say 'this is independent advice'.”

Stewart-Rattray, whose other advice around cloud security included paying extra attention to contract conditions for storing and managing data, noted that a cloud purchasing czar would also offer value in addressing security requirements around telecommunications and cloud services.

By working with potential CSPs and third-party cloud-services brokers at an early stage, the czar would be able to maintain a level of assurance around potential providers of telecommunications services, ensuring that they can deliver an end-to-end security infrastructure.

“There are organisations becoming cloud services brokers who look at these issues from end to end, and this is the sort of person that your cloud purchasing czar would hook into,” she said.

“They could have that sort of discussion and investigation to see that it's going to be as secure as possible from end to end, and that it meets your requirements from end to end. Due diligence is absolutely key, as it always has been, in the selection of service providers.”

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.